Abstract — We investigate the existence of secure bit
commitment protocols in the convex framework for probabilistic
theories. The framework makes only minimal assumptions, and 
can be used to formalize quantum theory, classical probability 
theory, and a host of other possibilities. We prove that in all 
such theories that are locally non-classical but do not have 
entanglement, there exists a bit commitment protocol that is 
exponentially secure in the number of systems used. 

I. Introduction 

In the 1984 paper [1] in which they introduced information- 
theoretically secure quantum key distribution, Bennett and 
Brassard also considered the possibility of information- 
theoretically secure bit commitment. Bit commitment is a basic 
primitive in classical cryptography, to which many practically 
important cryptographic tasks, such as secure function evalua- 
tion, can be reduced. In a bit commitment protocol, one party, 
usually called Alice, performs some act that is supposed to 
irrefutably convince another party, Bob, that she has irrevocably
committed to a value, 0 or 1, of a bit, without leaking any
information about the value of the bit to Bob. Later she can 
perform another act that reveals the value of the bit to Bob 
and enables him to perform some test that may be necessary 
for him to verify that she was indeed committed. Classically, 
bit commitment can be achieved with computational security, 
but not with information-theoretic security. 

Bennett and Brassard showed that the bit commitment 
scheme they considered could be defeated by the use of 
entangled states. Attempts were made [2] to construct secure 
bit commitment protocols, but Lo and Chau [3], and indepen- 
dently Mayers [4], showed that an entangled attack akin to 
Bennett and Brassard's defeats all quantum bit commitment 
protocols, and there is now a solid consensus that this does 
indeed cover all reasonable schemes and attacks [5]. 

Soon after this development, Brassard [6] and Fuchs [7] 
asked whether the impossibility of bit commitment might be
a manifestation of a deep information-theoretic property of
quantum mechanics, fit for a crucial role in an information- 
theoretic characterization, or reconstruction, of the formalism 
of quantum theory. Such a reconstruction, at its most am- 
bitious, is envisioned as similar to Einstein's reconstruction 
of the dynamics and kinetics of macroscopic bodies on the 
basis of simple principles with clear operational meanings 
and experimental consequences. As argued in (for example) 
[8], [9], [7], such a reconstruction could lend force to the 
view that the foundations of quantum mechanics are properly 
couched in terms of information, a view which has received 
increasing attention with the rise of quantum information 
science. Short of this ambitious goal, there are still strong 
reasons to pursue an informational characterization of quantum 
mechanics. It should lead to a principled understanding of the 
features of quantum mechanics that account for its better-than- 
classical information processing power. Such an understanding 
could help guide the search for new algorithms and protocols, 
both positively, by providing conceptual tools to exploit in a 
variety of settings, and negatively by identifying information- 
processing tasks requiring properties that quantum mechanics 
lacks. 

Brassard and Fuchs' conjecture was that the impossibility of 
bit commitment might, in conjunction with the possibility of 
secure secret key distribution and the impossibility of instan- 
taneous signaling between distinct physical systems, suffice 
to characterize quantum theory. Clifton, Bub, and Halvorson 
proved a result (the CBH theorem) [8], close to this conjecture 
in the framework of C*-algebraic theories. They demonstrated
the existence of a protocol related to the no-bit commitment 
theorem, but weaker, between two "local" algebras, whenever 
the local algebras are not commutative (not classical) and 
there are entangled states between the algebras. However, 
in finite dimensions, C*-algebraic theories are essentially
quantum mechanics with superselection rules, so in our view,
a much broader framework is desirable. Further evidence
for this view is Halvorson's demonstration [10] that no-bit- 
commitment follows from no-signaling and no-cloning within 
the C*-algebraic framework. To obtain the most illuminating
characterization of quantum mechanics in terms of information 
processing, one should work in a framework wide enough to 
include not only quantum and classical mechanics, but also a 
wide variety of other theories that can serve as foils to them; 
the C*-algebraic framework is too restrictive. 

It is therefore an open question whether non-classical the- 
ories without entanglement are ruled out by demanding the 
impossibility of secure bit commitment, in some appropriately 
broad framework. In this paper, we answer that question in the 
affirmative. We work in a framework that allows for a wide 
range of probabilistic theories, including not only quantum 
and classical theories, but also theories of Popescu-Rohrlich, 
or nonlocal, boxes [11], [12] that allow nonlocality stronger 
than that in quantum mechanics, as well as many other types of 
theory. For any nonclassical theory within the framework that 
does not permit entanglement between systems, we construct 
a bit-commitment protocol that is exponentially secure in the 
number of systems used. 

We proceed as follows. First the framework of generalized 
probabilistic theories is introduced and our bit-commitment 
protocol is defined. We then prove that such a protocol 
always exists in a non-classical theory. Next, we prove it 
to be exponentially secure in all theories that don't allow 
entanglement. Finally we give a summary and discussion. 

II. The Framework 

The framework is that of convex operational or generalized
probabilistic theories, for which no-cloning and no-broadcasting
theorems were proved in [13], [14], to which we refer for further
background. The set of normalized states of a system is a compact
convex set $\Omega \subset \mathbb{R}^d$. Embed $\Omega$ in
$\mathbb{R}^{d+1}$, avoiding the origin, and let
$\mathrm{Cone}(\Omega)$ be the set of linear combinations of
elements of $\Omega$ with nonnegative coefficients — the convex
cone of unnormalized states. Its dual cone,
$\mathrm{Cone}(\Omega)^*$, consists of those linear functionals
from $\mathbb{R}^{d+1}$ to $\mathbb{R}$ that are nonnegative on
$\mathrm{Cone}(\Omega)$. Measurement outcomes are represented as
effects: functionals $e \in \mathrm{Cone}(\Omega)^*$ satisfying
$e(\omega) \le 1$ for all $\omega \in \Omega$. $e(\omega)$ is the
probability of outcome $e$ for a system prepared in state $\omega$.
Equivalently, effects are elements of the interval $[0, u]$ in the
dual cone, whose endpoints are the zero functional and the unit
functional $u$ that gives 1 on all normalized states. Measurements
are sets $\{e_i\}$ of effects with $\sum_i e_i = u$ (i.e.
$\forall \omega \in \Omega$, $\sum_i e_i(\omega) = 1$).

For two state spaces, $\Omega_A$ and $\Omega_B$, a spectrum of
possible "tensor products" is identified — these are candidates for
describing a composite system built from subsystems with state
spaces $\Omega_A$ and $\Omega_B$. In this work we need only one:

Definition: The minimal tensor product $\Omega_A \otimes \Omega_B$
is the convex hull of the set of product states
$(\omega_A, \omega_B) \in \Omega_A \times \Omega_B$.

This generalizes the quantum-mechanical construction of 
the unentangled or separable density matrices. The general 
framework requires only that a tensor product be convex,
contain the minimal tensor product, and be contained in what's
known as the maximal tensor product, of less interest here. 

To describe quantum theory in this framework, $\Omega$ is chosen
to be isomorphic to the set of density operators on a Hilbert
space and $\mathrm{Cone}(\Omega)$ is the set of positive operators.
The quantum tensor product lies strictly between the minimal and
maximal tensor products. In classical theory, $\Omega$ is a simplex
of probability distributions, i.e. the convex hull of $d + 1$
linearly independent points in $\mathbb{R}^{d+1}$, and the maximal
and minimal tensor products coincide so there is no choice.
Classical theories are, equivalently, characterized by the property
that any state in $\Omega$ has a unique convex decomposition into
pure (extremal) elements.

It is important to specify the dynamics of theories in this
framework, because this specifies what Alice and Bob can
do to their systems. In this framework, dynamics are positive
linear maps $\mathcal{L} : \mathbb{R}^{d+1} \to \mathbb{R}^{d+1}$,
i.e. ones that take $\mathrm{Cone}(\Omega)$ to itself. Thus they
take (not-necessarily-normalized) states to states. Further, they
must be norm-nonincreasing: for all states
$\omega \in \mathrm{Cone}(\Omega)$,
$u(\mathcal{L}(\omega)) \le u(\omega)$; we use the term operation,
standard for the quantum case, to denote these. The map
$e_{\mathcal{L}} : \omega \mapsto u(\mathcal{L}(\omega))$ is an
element of $[0, u]$, and is interpreted as an effect (measurement
outcome) associated with the dynamics $\mathcal{L}$. Thus for
normalized $\omega$ and positive $\mathcal{L}$,
$e_{\mathcal{L}}(\omega)$ is interpreted as the probability with
which the state undergoes $\mathcal{L}$. When $e_{\mathcal{L}} = u$,
the map is norm-preserving; it is an unconditional dynamics not
associated with obtaining a particular measurement outcome.

Early work on cryptography using stronger-than-quantum 
nonlocal correlations, including [15] and [16] where entangled 
correlations enabled bit commitment, did not situate these 
correlations in a unified framework describing dynamics, mea- 
surement, and state preparation such as the one we use here. 

The assumptions embodied in this framework [14] are fairly 
minimal. Two are substantive: first, the "local observability" 
assumption effectively states that there are no "intrinsically 
nonlocal" degrees of freedom that cannot be determined by 
making repeated local measurements on the subsystems of 
identically prepared systems. Second, a "no-signaling" con- 
straint, which it is reasonable to take as the definition of what 
we mean by an independent subsystem. 

Our protocol uses the fact that any nonclassical state- 
space contains states that have more than one distinct convex 
decomposition into pure states. Alice encodes which bit she 
has committed to as a choice of one out of two such de- 
compositions. The security analysis we give requires that the 
two sets of pure states used in the decompositions be disjoint, 
and that all the states be exposed, but this can be achieved in 
any nonclassical state space. A state is exposed if there is a 
measurement outcome whose probability is 1 in that state, and 
strictly less than 1 on any other state — an outcome that can be 
guaranteed by that state, and only by that state. We call such 
an effect the distinguishing effect for the state in question. It 
is immediate from the definitions that exposed states are pure. 

We write cl(S), conv(S), and Exp(S) for the topological
closure, convex hull, and set of exposed points of a set S.



III. The Protocol 

Let a system have a non-simplicial, convex, compact state
space $\Omega$ of dimension $d$. The protocol uses a state $\mu$
that has two distinct convex decompositions $\{(p_i^0, \mu_i^0)\}$,
$\{(p_j^1, \mu_j^1)\}$ into finite disjoint sets of exposed states,
that is,

$$\mu = \sum_{i=1}^{N^0} p_i^0 \mu_i^0 = \sum_{j=1}^{N^1} p_j^1 \mu_j^1 .$$

In the honest protocol, Alice first decides on a bit
$b \in \{0, 1\}$ to commit to. She then draws $n$ independent
samples from the probability distribution
$(p_1^b, p_2^b, \ldots, p_{N^b}^b)$, obtaining a string
$x = (x_1, x_2, \ldots, x_n)$. She sends the state
$\mu_x^b = \mu_{x_1}^b \otimes \mu_{x_2}^b \otimes \cdots \otimes \mu_{x_n}^b$
to Bob.

In the reveal phase, she sends $b$ and $x$ to Bob. Bob then
measures each subsystem of the state Alice sent in the commit
phase. On the $k$-th subsystem, he performs a measurement
containing the distinguishing effect for $\mu_{x_k}^b$ and aborts
if the result is not the distinguishing effect. If he obtains the
appropriate distinguishing effect for every subsystem, he accepts.

Example of protocol: If $\Omega$ is the state space of a qubit, we
can transpose the one-qubit protocol of [1] to our setting.
$\Omega$ can be visualised as the Bloch sphere in $\mathbb{R}^3$
with pure states on the surface and their mixtures inside the
sphere. Let $\mu$ be the center of the sphere, i.e. the completely
mixed state
$\mu = \frac{1}{2}|+\rangle\langle+| + \frac{1}{2}|-\rangle\langle-| = \frac{1}{2}|0\rangle\langle 0| + \frac{1}{2}|1\rangle\langle 1|$,
where $|0\rangle, |1\rangle$ is a basis and
$|\pm\rangle = \frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$. Let
$\mu_1^0 = |0\rangle\langle 0|$, $\mu_2^0 = |1\rangle\langle 1|$,
$\mu_1^1 = |+\rangle\langle+|$, $\mu_2^1 = |-\rangle\langle-|$ and
$p_i^b = \frac{1}{2}$ for all $i, b$. In the $n = 1$ case, if Alice
decides to commit to $b = 0$ for example, she would send Bob either
$|0\rangle$ or $|1\rangle$, each with probability $\frac{1}{2}$.
Say she sends $|0\rangle$. To reveal she tells him "$b = 0$" and
that she sent $|0\rangle$. Bob would then measure in the
$|0\rangle, |1\rangle$ basis, find $|0\rangle$ and accept. In [1],
Bennett and Brassard considered this $n = 1$ protocol and showed it
was completely nonbinding through an entangled attack.

IV. Existence of the Protocol 

The existence of the protocol just described in any non- 
classical theory follows from: 

Theorem 1: Every nonsimplicial convex compact set $\Omega$
of dimension $d$ contains a state $\mu$ with two convex
decompositions into disjoint sets of exposed states, whose total
cardinality is less than $d + 2$.

The theorem follows from two lemmas. 

Lemma 1: Let $\Omega$ be a non-simplicial compact convex set
of dimension $d$. Then the convex hull of any $d + 2$ pure states
in $\Omega$ contains a state $\mu$ which has two convex
decompositions,

$$\mu = \sum_{i=1}^{N^0} p_i^0 \mu_i^0 = \sum_{j=1}^{N^1} p_j^1 \mu_j^1 ,$$

into disjoint sets of pure states, with $N^0 + N^1 < d + 2$.

Proof: Let $\Gamma := \{\mu_1, \ldots, \mu_{d+2}\}$ be an arbitrary
set of $d + 2$ pure states. Then $\mathrm{conv}(\Gamma)$ is
non-simplicial because $\Omega$ has dimension $d$. Choose a state
$\omega$ with two different convex decompositions
$\{(p_i^0, \mu_i^0), i = 1, \ldots, N^0\}$ and
$\{(p_j^1, \mu_j^1), j \in 1, \ldots, N^1\}$ into elements of
$\Gamma$ so that $N^0 + N^1$ is minimal. The sets
$\{\mu_1^0, \ldots, \mu_{N^0}^0\}$ and
$\{\mu_1^1, \ldots, \mu_{N^1}^1\}$ are then disjoint. For if
they had a state in common, say (reindexing if necessary)
$\mu_1^0 = \mu_1^1$, then the (unnormalized) state
$\omega' := \omega - \min_b(p_1^b)\,\mu_1^0$ would also have two
different convex decompositions, contradicting minimality. □

To show there are d + 2 exposed states we'll use the 
following special case of Theorem 18.7 of [17]. 

Theorem 2: A compact convex set $\Omega \subset \mathbb{R}^d$ is
the closure of the convex hull of its exposed points, i.e.
$\Omega = \mathrm{cl}(\mathrm{conv}(\mathrm{Exp}(\Omega)))$.

Lemma 2: A nonsimplicial convex compact set $\Omega$ of dimension
$d$ has at least $d + 2$ exposed points.

Proof: By Theorem 2, the closure of the convex hull of
Exp(C) is equal to C, and therefore cl(Cone(Exp(C))) =
Cone(C). Taking the closure of a convex subset (compact or
not) of $\mathbb{R}^n$ can't increase the dimension of the subspace
it spans, so the linear span of Exp(C) must be $\mathbb{R}^{d+1}$,
and we may pick a linearly independent subset of Exp(C), consisting
of $d + 1$ exposed points. There must be an exposed point not
in the convex hull of these $d + 1$ points, for if not the convex
hull of the exposed extreme points of C would be a simplex,
whence, using Theorem 2 and the fact that a finite-dimensional
simplex is closed, C itself would be a simplex. □

Since exposed states are pure, Lemmas 1 and 2 immediately 
imply Theorem 1. 

V. Security of the Protocol 

We adapt our security definition from Ref. [18], simplifying 
to the setting where there is no communication from Bob to 
Alice. We start with the formal definition: 

Definition: Let $\epsilon > 0$. We say that a bit commitment
protocol with one-way communication is $\epsilon$-secure if it has
the following properties:

• ($\epsilon$-soundness) Assume that both parties are honest. Then
the probability that Bob aborts is at most $\epsilon$ and, if he
does not abort, then after the reveal phase he learns the
bit $b$ that Alice committed to.

• ($\epsilon$-hiding) Assume that Alice is honest. Then for all
cheating strategies of Bob aiming to guess the commitment
before the reveal phase, $q_0 + q_1 \le 1 + \epsilon$, where $q_b$
is the probability that Bob guesses correctly given that Alice
committed $b$.

• ($\epsilon$-binding) Assume that Bob is honest. Then for all
commitments of Alice, $p_0 + p_1 \le 1 + \epsilon$, where $p_b$ is
the maximum probability that Alice successfully reveals
$b$.

If any of the above hold for $\epsilon = 0$, we say that the
protocol satisfies that property perfectly.

Our protocol is perfectly sound because if Alice is honest, 
the distinguishing measurements that Bob makes based on 
Alice's claim give the correct answers with probability 1. In 
general, one would consider the probability of either honest 
participant accusing the other of cheating, but in a one-way 
protocol, there is no provision for Alice to abort. 



The protocol is also perfectly hiding — there is no way for 
Bob to obtain information about the bit $b$ during the post-commit,
pre-revelation phase, as the state $\mu^{\otimes n}$ that (honest)
Alice sent is independent of $b$.

The nontrivial part of the security analysis is to show that
the protocol is $\epsilon$-binding — to show that Alice can't cheat
by choosing which bit to reveal after she is supposed to be
committed to one or the other. In an ideal bit commitment
protocol, Alice could use randomness to commit to 0 with
probability $p_0$ and 1 with probability $p_1 = 1 - p_0$, so she
can achieve any pair $p_0, p_1$ in the definition such that
$p_0 + p_1 = 1$. Our protocol only allows her to do a little
better. For example, if she wants to be able to reveal 0 with
probability 1, then the probability that she can reveal 1 is at
most $\epsilon$. Although it is suitable for present purposes, we
note that our definition of $\epsilon$-binding is too weak to
establish composable security [19].

We'll need a lemma about measurements. 

Lemma 3: Suppose two exposed states $\mu \ne \nu$ have
distinguishing effects $a$ and $b$. Let

$$f(\mu, \nu) := \sup_{\omega \in \Omega} \left( a(\omega) + b(\omega) \right). \tag{3}$$

Then $1 \le f(\mu, \nu) < 2$.

Proof: For the upper bound, the function $a + b$ is linear and
the set $\Omega$ is convex and compact, so the supremum of $a + b$
is achieved on a pure state $\omega'$. Suppose
$a(\omega') + b(\omega') = 2$. Then we must have $a(\omega') = 1$
and $b(\omega') = 1$, which implies $\omega' = \mu = \nu$, a
contradiction. The lower bound follows from considering
$\omega = \mu$. □

Now define
$\delta := \min_{1 \le i \le N^0,\ 1 \le j \le N^1} \left( 2 - f(\mu_i^0, \mu_j^1) \right)$,
where $\mu_i^0, \mu_j^1$ run over the states used in the protocol.
Note that $\delta < 1$, since at least one pair of states is not
perfectly distinguishable. This quantity $\delta$ will control the
number $n$ of systems we need to use to achieve $\epsilon$-security.

The proof also uses the following description of an optimal 
set of strategies for a cheating Alice. 

Lemma 4: An optimal strategy for Alice is as follows: she
tosses some coins and generates randomness $\lambda$ with
probability weight $p(\lambda)$. She then prepares an arbitrary
string of pure states
$\omega_1^\lambda \otimes \omega_2^\lambda \otimes \cdots \otimes \omega_n^\lambda$.
She sends them to Bob. In the reveal phase, she can send an
arbitrary bit $b$ and an arbitrary "claim sequence"
$x^{\lambda b}$, that depends on the bit she wants to claim and the
randomness.

The state claim $x^{\lambda b}$, which is classical information, is
encoded in perfectly distinguishable states of some systems
$\Gamma$ in the theory; it is easily shown that doing otherwise
can't help Alice.

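Proof of Lemma 4: A general cheating strategy for Alice
is to prepare an arbitrary state in
$\Gamma \otimes \Gamma^{\otimes n} \otimes \Omega^{\otimes n}$
(where $\Gamma$ is some state space in the theory), and then do a
$b$-dependent positive map $\mathcal{L}^b$ on
$\Gamma \otimes \Gamma^{\otimes n}$ just before sending
$\Gamma^{\otimes n}$ to Bob, in an attempt to reveal $b$. Letting
$r_l$ be probabilities, $\tau^l \in \Gamma$,
$\gamma_k^l \in \Gamma$, $\omega_k^l \in \Omega$, the state before
revelation is:

$$\sum_l r_l\, \tau^l \otimes \gamma_1^l \otimes \cdots \otimes \gamma_n^l \otimes \omega_1^l \otimes \cdots \otimes \omega_n^l . \tag{4}$$

After Alice attempts to reveal $b$ it is:

$$\psi^b := \sum_l r_l\, \mathcal{L}^b(\tau^l \otimes \gamma_1^l \otimes \cdots \otimes \gamma_n^l) \otimes \omega_1^l \otimes \cdots \otimes \omega_n^l . \tag{5}$$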

.j-hnb -Irnb , 
Let q> Lb = J2 r 

T®" induced by the state £ b (r l 
state of T®" ® fi®" is 



7„ be the marginal state on 
' 71 <8> ■ • ■ ® 7^). Then the 



X 



1 



Imb^lmb ^ 



Irnb , 



)0J\ <g> ■ 



(6) 



Bob will subject each copy of $\Gamma$ to a standard measurement to
read Alice's claim; the $k$-th system will yield a value $x$ with
probability $p_k^{lmb}(x)$ determined by $\gamma_k^{lmb}$. Alice
could achieve the same result by sampling the distribution of
measurement results $p_k^{lmb}$ Bob would obtain from
$\gamma_k^{lmb}$, perhaps keeping a record $q$ of the result of
sampling, and sending a definite string
$x_1^{lmqb}, \ldots, x_n^{lmqb}$ for the claim, encoded as
distinguishable states that will definitely give this string of
outcomes. Letting $\lambda$ stand for $lmq$, we see that an optimal
strategy for Alice is as described in the Lemma. □

Theorem 3: Our bit commitment protocol is $\epsilon$-binding with
$\epsilon = (1 - \delta)^n$.

Proof: Let $a_i^b$ be the distinguishing effect for $\mu_i^b$
($b \in \{0, 1\}$, $i \in \{1, \ldots, N^b\}$). Define
$q_k^b(\lambda) := a^b_{x_k^{\lambda b}}(\omega_k^\lambda)$; this is
the probability that $\omega_k^\lambda$ passes the test Bob performs
on the $k$-th system in the reveal phase when Alice tries to reveal
$b$. Then $q_k^0(\lambda) + q_k^1(\lambda) \le 2 - \delta$, by our
choice of $\delta$.

Since Bob only accepts if he accepts the state $\omega_k^\lambda$ of
each subsystem, we have:

$$p_0 + p_1 = \sum_\lambda p(\lambda) \left[ \prod_{k=1}^n q_k^0(\lambda) + \prod_{k=1}^n q_k^1(\lambda) \right]. \tag{7}$$

By convexity, we can fix some best choice for the randomness
$\lambda$ and drop the label. An upper bound on

$$p_0 + p_1 = \prod_{k=1}^n q_k^0 + \prod_{k=1}^n q_k^1 \tag{8}$$

is obtained by maximizing it subject to $0 \le q_k^0, q_k^1 \le 1$
and $q_k^0 + q_k^1 \le 2 - \delta$. We should saturate the second
inequality, since adding to $q_k^0$ or $q_k^1$ can only increase the
right-hand side of Eq. (8). Now let
$Q_k^b := \prod_{k'=1..n,\ k' \ne k} q_{k'}^b$, so that
$p_0 + p_1 = Q_k^0 q_k^0 + Q_k^1 q_k^1$. Since this expression is
affine in $q_k^b$, it's clear that if $Q_k^0 > Q_k^1$, we should
take $q_k^0 = 1$ and $q_k^1 = 1 - \delta$, and vice versa if
$Q_k^1 > Q_k^0$. If $Q_k^0 = Q_k^1$, then we can take either
$q_k^0 = 1$ and $q_k^1 = 1 - \delta$ or use the opposite assignment.
Therefore,

$$p_0 + p_1 \le \max_{m = 0..\lfloor n/2 \rfloor} \left[ (1 - \delta)^m + (1 - \delta)^{n-m} \right]. \tag{9}$$

If $0 < m < n/2$, then we can increase the sum by moving
a $1 - \delta$ term from $(1 - \delta)^m$ to $(1 - \delta)^{n-m}$,
from which it follows that

$$p_0 + p_1 \le \begin{cases} 1 + (1 - \delta)^n & \text{if } n \text{ is odd;} \\ \max\left( 1 + (1 - \delta)^n,\ 2(1 - \delta)^{n/2} \right) & \text{if } n \text{ is even.} \end{cases}$$

For even $n$, note that
$1 + (1 - \delta)^n - 2(1 - \delta)^{n/2} = (1 - (1 - \delta)^{n/2})^2 > 0$,
so the maximum is always achieved by the first term. This proves
the theorem. □
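
The bound of Theorem 3 evaluated for the qubit example of Section III, as an added example that is not part of the original paper: it computes δ from the f of Lemma 3 for the states |0>, |1>, |+>, |->, searches unentangled cheating strategies of the form in Lemma 4, and compares the best p0 + p1 found with 1 + (1 - δ)^n. The function names, the restriction of the search to pure states on the great circle through the four protocol states, and the grid size are assumptions of this example.

```python
import itertools
import math

# Bloch vectors (x, z) of the exposed states in the qubit example:
# decomposition 0 is {|0>, |1>}, decomposition 1 is {|+>, |->}.
DECOMP = {
    0: [(0.0, 1.0), (0.0, -1.0)],
    1: [(1.0, 0.0), (-1.0, 0.0)],
}


def effect_prob(m, w):
    """Probability that state w yields the distinguishing effect of pure
    state m. For a qubit that effect is the projector onto m: (1 + m.w)/2."""
    return 0.5 * (1.0 + m[0] * w[0] + m[1] * w[1])


def f(m1, m2):
    """f from Lemma 3: sup over states w of a(w) + b(w). The sum equals
    1 + (m1 + m2).w / 2, maximised on the Bloch ball at w parallel to m1 + m2."""
    return 1.0 + 0.5 * math.hypot(m1[0] + m2[0], m1[1] + m2[1])


def delta():
    """delta = min over pairs (mu_i^0, mu_j^1) of 2 - f(mu_i^0, mu_j^1)."""
    return min(2.0 - f(m0, m1) for m0 in DECOMP[0] for m1 in DECOMP[1])


def binding_bound(n):
    """Theorem 3: p0 + p1 <= 1 + (1 - delta)^n."""
    return 1.0 + (1.0 - delta()) ** n


def best_product_cheat(n, grid=64):
    """Largest p0 + p1 found over product strategies: Alice sends n pure
    states w_1..w_n and, for each bit b, claims per system the state of
    decomposition b whose test w_k is most likely to pass.
    Assumption: each w_k is one of `grid` points on the x-z great circle."""
    per_state = []
    for k in range(grid):
        t = 2.0 * math.pi * k / grid
        w = (math.sin(t), math.cos(t))
        q0 = max(effect_prob(m, w) for m in DECOMP[0])
        q1 = max(effect_prob(m, w) for m in DECOMP[1])
        per_state.append((q0, q1))
    best = 0.0
    # p_b is a product over systems, so the order of the w_k is irrelevant.
    for combo in itertools.combinations_with_replacement(per_state, n):
        p0 = math.prod(q[0] for q in combo)
        p1 = math.prod(q[1] for q in combo)
        best = max(best, p0 + p1)
    return best


if __name__ == "__main__":
    print(f"delta = {delta():.4f}")
    for n in (1, 2, 3):
        print(n, round(best_product_cheat(n), 4), round(binding_bound(n), 4))
```

For n = 1 the search meets the bound; for larger n it stays below it, because no single qubit state gives q_k^0 = 1 together with q_k^1 = 1 - δ, the assignment the proof uses to bound the product.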

VI. Related Work 

Winter, Nascimento, and Imai [20] found the optimal rate at 
which a discrete memoryless classical channel from Alice to 
Bob can be used to commit bits. Because the set of achievable 
output distributions may be a nonsimplicial compact convex
body $\Omega$, and the channel allows Alice to prepare any
distribution of products of states in this convex body, their setting
measurement whereas ours permits any measurement of effects 
in the cone dual to this convex body. Our setting also differs by 
permitting unentangled nonclassical processing by Alice and 
Bob. Also, the discreteness of the classical channel implies 
that the set of possible output distributions for the channel 
is a polytope, whereas in our theories $\Omega$ can be an arbitrary
compact convex body. Finally, we do not calculate rates, but 
demonstrate exponentially secure commitment of a single bit; 
bounding the rate in our theories would be interesting, but it 
is not obvious what good analogues of the bounding entropic 
expressions in [20] would be. 

Wolf and Wullschleger (WW) [21] reach a conclusion 
qualitatively similar to ours, that in a setting more general than 
quantum theory, assumptions that rule out entanglement can 
provide a secure protocol. They have told us that their result 
will be strengthened in [22]. [21] assumes Alice and Bob have 
access to many independent uses of the same trusted bipartite 
box-pair, initially uncorrelated with anything else. The boxes 
have binary inputs and outputs, but WW state that extension to 
larger finite sets of inputs and outputs is straightforward. Under 
the very weak condition that one party's conditional state 
depends on the other's input, they provide a bit commitment 
protocol and a security proof. Our setting is more general as 
it does not assume a trusted joint Alice-Bob state. 

VII. Conclusion and Discussion 

In [13], [14], [23], it was shown that the no-broadcasting 
and no-cloning theorems, and the tradeoff between information 
gain and state disturbance, are generic in non-classical theories 
in our framework. For the project of characterizing quantum 
mechanics this focuses attention on properties, like the impos- 
sibility of bit commitment and the possibility of teleportation, 
that may not be generically non-classical. 

Within our framework, if one makes the plausible as- 
sumption that an information-disturbance tradeoff (which is 
equivalent to nonclassicality) allows secure key distribution, 
we may paraphrase the Brassard-Fuchs conjecture as saying 
that the impossibility of bit commitment characterizes quan- 
tum mechanics from among the nonclassical theories in our 
framework. We have shown that nonclassical theories in which 
bit commitment is impossible must have entanglement, but 
in contrast to the situation for the C*-algebraic framework,
in the general framework that is very far from narrowing us
down to quantum theory. An important open question, then, is
what, if any, sorts of theories in our framework that do have
entanglement, nevertheless permit bit commitment. 